In the age of dumb terminals each user got a login ID and a password. These were used to connect to a mainframe and were mapped to specific permissions managed centrally. This was a pretty good arrangement: the user requested certain permissions, had those permissions granted, and was then able to access some mainframe resources. There were virtually no side effects.
As client/server architectures developed, the same concept of a login ID and password continued, but now there were many networks, each with its own policies for issuing a login ID and password. Each user was still required to request certain permissions, have those permissions granted, and gain access. But now this process had to be repeated for many systems, and remembering the user ID and password for each system became onerous, never mind remembering the specific permissions the user had on each system.
At this point, various Identity Management (IDM) products started to emerge to make the process of creating IDs and passwords simpler, and to provide more central management of permissions. This all seemed like a good thing, and as long as the scope of the IDM remained inside a single corporation, it offered significant advantages with few undesirable side effects for the user. Most corporations offered a means of changing and reviewing permissions, and although the process was relatively cumbersome it was sufficient in the context of closed corporate environments.
As the Internet emerged the user's connected world expanded by leaps and bounds. Each user now had many identities: in their role at work, as a bank customer, as a parent, as a student, and so on. Unfortunately the management of identifiers and permissions did not evolve in the same way. The process of issuing login IDs and passwords simply migrated to the individual domains on the Internet (AOL, Yahoo, MSN, etc.), and the concept of identity became a unidirectional process: the user gives away information and gets back an identity defined entirely by a third party. This led to the current state of affairs in which the user has essentially abdicated her right to privacy, and third parties can aggregate the user's personal information at will and without her consent.
What is needed is a system by which the user is free to negotiate rights and privacy in a way that will consistently work for all networked interactions.